============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 104                                    September 27, 2011

Hilarie Orman, Editor                   Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org       cipher-assoc-editor @ ieee-security.org

Richard Austin, Book Review Editor      Yong Guan, Calendar Editor
cipher-bookrev @ ieee-security.org      cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of "Metasploit The Penetration Tester's Guide" by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar list
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This is the time of year when we remind all researchers to consider submitting papers to the Security and Privacy Symposium. The deadline for this flagship conference of the IEEE Computer Society's Technical Committee on Security and Privacy is November 16.
The conference program has been expanding during the last several years, a trend that will probably continue. Also, the popular "Systematization of Knowledge" papers are again welcome. The Symposium is changing its location: for the first time since its inception, it will not be held at the Claremont Hotel. The contract for a location in downtown San Francisco is all but final, and it will be announced soon. The change will allow the symposium to grow well beyond the 360-person limit that plagued the 2011 meeting.

The 2012 conference will have more workshops, and Sven Dietrich, as the chair of SPW (Security and Privacy Workshops), has been reviewing proposals and plans during the summer. Watch for announcements soon.

I have wondered recently if the continual assault of social media on our privacy has any long-term purpose. Although one motivation is to keep our interest, the financial motivation is to make advertising more effective. Is there some natural limit to consumerism? How much better can we be at buying stuff? If I have all the information in the world available to me, would I choose milk chocolate over dark chocolate? Probably not; some things are unchangeable. When you wish OnStar, Facebook knows who you are.

Happy Autumn,
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

____________________________________________________________________
Book Review By Richard Austin
Sep. 24, 2011
____________________________________________________________________

"Metasploit The Penetration Tester's Guide" by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni
No Starch Press 2011.
ISBN 978-1-59327-288-3
Amazon.com USD 27.24
Table of Contents: http://nostarch.com/metasploit#toc

Metasploit has been called a lot of things, depending on which side of the IT security equation you call home, but the reality is that it is a powerful tool for use by both security professionals and their adversaries. It both automates and provides building blocks for attacks against the assets we are charged to protect. Previously, documentation on Metasploit was fragmented and rather obscure, as it tended to be scattered across a wide universe of project wikis, articles and folklore. This book provides a solid starting point for becoming familiar with the capabilities and use of this tool, whether one is a penetration tester or charged with defending information assets.

It is a technical book and requires a good understanding of systems and software to derive maximum benefit. Its presentation is heavily based on examples that illustrate the tools in operation. An appendix (which paradoxically should be the first thing you read) explains how to build exploitable Windows and Linux environments to support working through the examples. The worked-out examples are based, I believe, on Back|Track 4, so if the reader is using Back|Track 5, as I was, there will be some required minor translations of directory locations, etc., to reflect the new release.

As with any book by multiple authors, there is some unevenness in presentation. Some examples are written from a tutorial perspective while others just paint the major signposts along the way. There are also some production issues, such as a missing figure on page 83 and a duplication of figure 14-1 as 14-4. There is also rather a howler on page 216 where the ESP register is described as the extended "starter pointer" instead of "stack pointer". However, these are definitely minor blemishes.

The book provides an excellent overview of the state of the art in exploitation of both technical and human vulnerabilities.
The presentation in chapter 10 on "The Social Engineer's Toolkit" (SET) is a sobering walkthrough of how human behavior can be exploited to achieve an adversary's result. The discussion of how SET can be used in combination with a hardware device such as the Teensy USB microcontroller illustrates just how inventive our adversaries have become. The final chapter of the book presents a detailed walkthrough of Metasploit's use in a simulated penetration test.

The book leaves the reader with a shocking appreciation of just how easy it is to perform these attacks with the proper tools. While Metasploit makes some attacks so simple that a "script kiddie" could mount them, its truly frightening capabilities lie in the framework's building blocks for constructing powerful, blended attacks worthy of the true professional. Whether you are a penetration tester or a technical security professional, quality time spent working through this book will add valuable tools and insight to your professional repertoire.

----
Before beginning life as a university instructor and independent cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in positions ranging from software developer to security architect.
He welcomes your thoughts and comments at raustin2 at spsu dot edu

_____________________________________________________________________________
Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New listings:

Naval Postgraduate School
Monterey, California
CS Department Faculty Positions
Open until filled
http://www.nps.edu/Academics/Schools/GSOIS/Departments/CS/Faculty/Openings/CSFacultyOpenings.html
Posted June 2011 (updated August 2011)

University of Waterloo
Waterloo, ON, Canada
Postdoctoral Research Position
Open until filled
http://crysp.uwaterloo.ca/prospective/postdoc/

Full list: http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Cipher calendar announcements are on Twitter; follow "ciphernews"

Date (Month/Day/Year), Event, Locations, web page for more info.
 9/26/11- 9/28/11: CRiSIS, 6th International Conference on Risks and Security of Internet and Systems, Timisoara, Romania; http://www.crisis-conference.org/
 9/30/11: Elsevier Computers & Electrical Engineering, Special Issue on Recent Advances in Security and Privacy in Distributed Communications; http://www.elsevierscitech.com/cfp/CEE-SI-Recent-Advances-Security-Privacy.pdf; Submissions are due
 9/30/11: CoSec, 3rd IEEE Workshop on Collaborative Security Technologies, Bangalore, India; http://www.imsaa.org/; Submissions are due
10/01/11: IEEE Systems Journal, Special Issue on Security and Privacy in Complex Systems; http://isj.engineering.utsa.edu/special.php?issue=spc; Submissions are due
10/ 7/11: IFIP-DF, 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa; http://www.ifip119.org; Submissions are due
10/ 7/11: POST, 1st Conference on Principles of Security and Trust, Tallinn, Estonia; http://web.cs.wpi.edu/~guttman/post12/; Submissions are due
10/17/11: STC, 6th ACM Workshop on Scalable Trusted Computing, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://www.cs.utsa.edu/~acmstc/stc2011/
10/17/11: WPES, 10th ACM Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://wpes11.rutgers.edu/
10/19/11: SecIoT, 2nd Workshop on the Security of the Internet of Things, Held in conjunction with IEEE iThings 2011, Dalian, China; http://www.isac.uma.es/seciot11
10/21/11: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://crypto.cs.stonybrook.edu/ccsw11
10/21/11: AISec, 4th Workshop on Artificial Intelligence and Security, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA; http://tsig.fujitsulabs.com/~aisec2011/
10/24/11-10/26/11: DSPSR, 1st IEEE/IFIP EUC Workshop on Data Management, Security and Privacy in Sensor Networks and RFID, Held in conjunction with the 9th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2011), Melbourne, Australia; http://www.deakin.edu.au/~rchell/DSPSR2011.html
10/26/11-10/28/11: Nordsec, 16th Nordic Workshop on Secure IT-Systems, Tallinn, Estonia; http://nordsec2011.cyber.ee
10/31/11: WECSR, 3rd Workshop on Ethics in Computer Security Research, Divi Flamingo Resort, Bonaire; http://www.cs.stevens.edu/~spock/wecsr2012/cfp.html; Submissions are due
11/ 7/11-11/ 9/11: eCrime Researchers Summit, 6th IEEE eCrime Researchers Summit, Held in conjunction with the 2011 APWG General Meeting, San Diego, CA, USA; http://ecrimeresearch.org
11/16/11: SP, 33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA; http://www.ieee-security.org/TC/SP2012/cfp.html; Submissions are due
11/16/11: USEC, Workshop on Usable Security, Held in conjunction with the Financial Cryptography and Data Security (FC 2012), Divi Flamingo Beach Resort, Bonaire; http://infosecon.net/usec12/index.php; Submissions are due
11/16/11: TSCloud, 1st IEEE International Workshop on Trust and Security in Cloud Computing, Changsha, China; http://tscloud.org
11/16/11-11/18/11: TrustCom, 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Changsha, China; http://trust.csu.edu.cn/conference/trustcom2011
11/27/11-11/29/11: INTRUST, International Conference on Trusted Systems, Beijing, China; http://www.onets.com.cn/intrust11
11/29/11-12/ 2/11: WIFS, IEEE Workshop on Information Forensics and Security, Foz do Iguacu, Brazil; http://www.wifs11.org
12/01/11: Elsevier Computer Networks, Special Issue on Botnet Activity: Analysis, Detection and Shutdown; http://www.elsevierscitech.com/dronsite/CFP_SIonBotnetActivity.pdf; Submissions are due
12/ 5/11-12/ 9/11: ACSAC, 27th Annual Computer Security Applications Conference, Orlando, Florida, USA; http://www.acsac.org/
12/ 9/11: WPLS, Workshop on Physical Layer Security, Held in conjunction with the IEEE Globecom Conference 2011, Houston, Texas, USA; http://www.comm.utoronto.ca/~akhisti/GlobecomWorkshop/
12/11/11-12/14/11: WICT-NDF, World Congress on Information and Communication Technologies, Intrusion Detection and Forensics, Mumbai, India; http://www.mirlabs.org/wict11/index.php-c=main&a=show&id=34.htm
12/12/11: CoSec, 3rd IEEE Workshop on Collaborative Security Technologies, Bangalore, India; http://www.imsaa.org/
12/12/11: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany; http://cosade2011.cased.de; Submissions are due
 1/ 3/12- 1/ 5/12: IFIP-DF, 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa; http://www.ifip119.org
 1/ 4/12- 1/ 7/12: HICSS-ST, 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_45/apahome45.htm
 1/10/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece; http://www.sec2012.org; Submissions are due
 2/ 5/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012; Submissions are due
 2/ 5/12- 2/ 8/12: NDSS, Network & Distributed System Security Symposium, San Diego, California, USA; http://www.isoc.org/isoc/conferences/ndss/12/cfp.shtml
 2/16/12- 2/17/12: ESSoS, 4th International Symposium on Engineering Secure Software and Systems, Eindhoven, The Netherlands; http://distrinet.cs.kuleuven.be/events/essos2012/
 2/27/12- 3/ 2/12: CT-RSA, RSA Conference, Cryptographers' Track, San Francisco, California, USA; http://ctrsa2012.cs.haifa.ac.il/
 2/27/12- 3/ 2/12: FC, 16th Financial Cryptography and Data Security, Divi Flamingo Beach Resort, Bonaire; http://fc12.ifca.ai/
 3/ 2/12: WECSR, 3rd Workshop on Ethics in Computer Security Research, Divi Flamingo Resort, Bonaire; http://www.cs.stevens.edu/~spock/wecsr2012/cfp.html
 3/ 2/12: USEC, Workshop on Usable Security, Held in conjunction with the Financial Cryptography and Data Security (FC 2012), Divi Flamingo Beach Resort, Bonaire; http://infosecon.net/usec12/index.php
 3/24/12- 4/ 1/12: POST, 1st Conference on Principles of Security and Trust, Tallinn, Estonia; http://web.cs.wpi.edu/~guttman/post12/
 5/ 3/12- 5/ 4/12: COSADE, 3rd International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany; http://cosade2011.cased.de
 5/20/12- 5/23/12: SP, 33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA; http://www.ieee-security.org/TC/SP2012/cfp.html
 6/ 4/12- 6/ 6/12: SEC, 27th IFIP International Information Security and Privacy Conference, Creta Maris Hotel, Heraklion, Crete, Greece; http://www.sec2012.org
 6/26/12- 6/29/12: ACNS, 10th International Conference on Applied Cryptography and Network Security, Singapore; http://icsd.i2r.a-star.edu.sg/acns2012
 7/15/11- 7/15/12: IEEE Internet Computing, Track Articles on Computer Crime; http://www.computer.org/portal/web/computingnow/cfptrack; Submissions are due

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E103)
___________________________________________________________________

Elsevier Computers & Electrical Engineering, Special Issue on Recent Advances in Security and Privacy in Distributed Communications, September 2012. (Submission Due 30 September 2011)
http://www.elsevierscitech.com/cfp/CEE-SI-Recent-Advances-Security-Privacy.pdf
Editors: Gregorio Martinez (University of Murcia, Spain), Felix Gomez Marmol (NEC Laboratories Europe, Germany), and Jose M. Alcaraz Calero (Hewlett-Packard Laboratories, United Kingdom)

Security services need to be considered as part of most communication proposals being discussed nowadays in distributed communication environments.
Additionally, in the last few years, privacy has been gaining interest from both the designers and the customers of security solutions, and is now considered a key aspect for them. For a good security and/or privacy design, one needs to be informed of the latest advances in this field, which is the main objective of this special issue. This special issue is intended to report the most recent research works related to security and privacy, particularly in the following fields:
- Anonymity
- Authentication
- Authorization and access control
- Critical Infrastructure Protection (CIP)
- Data integrity and protection
- Identity Management
- Intrusion detection and prevention
- End-to-end security solutions
- Privacy enhancing technologies
- Risk analysis and management
- Security policies
- Threats and vulnerabilities
- Trust and reputation management in distributed scenarios

-------------------------------------------------------------------------
CoSec 2011
3rd IEEE Workshop on Collaborative Security Technologies, Bangalore, India, December 12, 2011. (Submissions due 30 September 2011)
http://www.imsaa.org/

The severity of attacks on networks and critical infrastructures has been on the rise over recent years and seems likely to continue to do so. Surprisingly, many of the attacks can be individually simple yet highly damaging due to their large-scale coordination and polymorphic replication with continuous self-upgrading, using a mix of peer-to-peer and command-and-control architectures. Conventional approaches of single-host security defenses are becoming increasingly less effective in the face of such sophisticated and coordinated multi-front attacks using botnets of compromised always-on, always-connected computers. In contrast, a distributed defense pattern shows promise in terms of manageability, reduced operating costs and architectural simplicity.
This broad area of defense using Collaborative Security technologies works on the principles of sharing (1) information and knowledge for accelerating detection of and response to new attacks and threats; and (2) resources for increasing efficiency and reducing resource consumption. The 3rd International Workshop on Collaborative Security Technologies aims to bring to the forefront innovative approaches that involve the use of collaborative methods for security and privacy. The central theme of this workshop is to focus attention on collaborative and intelligent approaches towards the design of security systems so as to make them more robust and reliable.

-------------------------------------------------------------------------
IEEE Systems Journal, Special Issue on Security and Privacy in Complex Systems, 2012. (Submission Due 1 October 2011)
http://isj.engineering.utsa.edu/special.php?issue=spc
Editors: Sushil Jajodia (George Mason University, USA) and Pierangela Samarati (Università degli Studi di Milano, Italy)

Today's information society relies on a globally interconnected infrastructure composed of diverse and widely distributed systems. It is of utmost importance to ensure proper protection of such complex systems, or systems-of-systems, to ensure security, privacy, and availability of the infrastructure as well as of the resources and information it provides and manages. The problem is far from trivial, due to the criticality and the social impact of the applications and services relying on this global infrastructure, as well as the complexity given by the co-existence and co-operation of possibly heterogeneous component systems. The goal of this special issue is to collect high-quality contributions on security and privacy in complex systems and systems-of-systems. We solicit submissions from academia, industry, and government presenting novel and original research on all theoretical and practical aspects of security and privacy in complex systems.
The focus of the special issue spans security and privacy theory, technology, methodology, and applications in complex systems. Submitted papers should therefore explicitly address issues in the complex system scenario. Topics of interest include, but are not limited to, the ones listed below, provided that they are treated with specific focus on the complex system scenario:
- access control
- anonymity
- applied cryptography
- authentication
- biometric security and privacy
- cyber warfare and security
- complex systems security
- computer forensics
- critical infrastructure protection
- data and application security
- data protection
- data/system integrity
- dependability, reliability, and availability
- formal methods for security and privacy
- human factors in security and privacy
- identity management
- insider threats
- intrusion detection and prevention
- knowledge extraction/representation for security
- legal and ethical issues
- middleware security
- network security
- operating systems security and privacy
- protection from cyberhacking
- security engineering
- secure environments and applications
- secure interoperability
- security and privacy metrics
- security and privacy policies
- security and privacy in cloud computing
- security and privacy in ad hoc networks
- security and privacy in e-services
- security and privacy in grid computing
- security and privacy in mobile systems
- security and privacy in monitoring systems
- security and privacy in industrial systems
- security and privacy in pervasive/ubiquitous computing
- security and privacy in sensor networks
- security and privacy in smart grid and distributed generation systems
- security and privacy in social applications and networks
- security and privacy in wireless sensor networks
- security architectures
- security management in complex scenarios
- social implications of security and privacy
- surveillance systems
- threats, vulnerabilities, and risk management
- transportation systems
- trust management
- usable security for complex systems
- verification and validation of complex systems
- web service security

-------------------------------------------------------------------------
IFIP-DF 2012
8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa, January 3-5, 2012. (Submissions due 7 October 2011)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume, the eighth in the series entitled Research Advances in Digital Forensics, in the summer of 2012. Revised and/or extended versions of selected papers from the conference will be published in special issues of one or more international journals. Technical papers are solicited in all areas related to the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
POST 2012
1st Conference on Principles of Security and Trust, Tallinn, Estonia, March 24 - April 1, 2012. (Submissions due 7 October 2011)
http://web.cs.wpi.edu/~guttman/post12/

Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions.
Areas of interest include:
- Access control
- Anonymity
- Authentication
- Availability
- Cloud security
- Confidentiality
- Covert channels
- Crypto foundations
- Economic issues
- Information flow
- Integrity
- Languages for security
- Malicious code
- Mobile code
- Models and policies
- Privacy
- Provenance
- Reputation and trust
- Resource usage
- Risk assessment
- Security architectures
- Security protocols
- Trust management
- Web service security

-------------------------------------------------------------------------
WECSR 2012
3rd Workshop on Ethics in Computer Security Research, Divi Flamingo Resort, Bonaire, March 2, 2012. (Submissions due 31 October 2011)
http://www.cs.stevens.edu/~spock/wecsr2012/cfp.html

Computer security often leads to discovering interesting new problems and challenges. The challenge still remains to follow a path acceptable for Institutional Review Boards at academic institutions, as well as compatible with ethical guidelines for professional societies or government institutions. However, no exact guidelines exist for computer security research yet. This workshop will bring together computer security researchers, practitioners, policy makers, and legal experts. This workshop solicits submissions describing or suggesting ethical and responsible conduct in computer security research. While we focus on setting standards and sharing prior experiences and experiments in computer security research, successful or not, we tap into research behavior in network security, computer security, applied cryptography, privacy, anonymity, and security economics. This workshop will favor discussions among participants, in order to shape the future of ethical standards in the field. It will be co-located with the Sixteenth International Conference on Financial Cryptography and Data Security 2012. We solicit submissions in three categories: Position papers, Case studies, and Panel proposals.
-------------------------------------------------------------------------
SP 2012
33rd IEEE Symposium on Security and Privacy, San Francisco Bay Area, California, USA, May 20-23, 2012. (Submissions due 16 November 2012)
http://www.ieee-security.org/TC/SP2012/cfp.html

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Distributed systems security
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection
- Language-based security
- Malware
- Metrics
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Usability and security
- Web security

SYSTEMATIZATION OF KNOWLEDGE PAPERS: Following the success of the previous year's conference, we are also soliciting papers focused on systematization of knowledge. The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will provide a high value to our community but would otherwise not be accepted because they lack novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems.
Submissions will be distinguished by a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, except that instead of emphasizing novel research contributions, the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

-------------------------------------------------------------------------
USEC 2012
Workshop on Usable Security, Held in conjunction with the Financial Cryptography and Data Security (FC 2012), Divi Flamingo Beach Resort, Bonaire, March 2, 2012. (Submissions due 16 November 2011)
http://infosecon.net/usec12/index.php

Many aspects of data security combine technical and human factors. If a highly secure system is unusable, users will move their data to less secure but more usable systems. Problems with usability are a major contributor to many high-profile security failures today. However, usable security is not well-aligned with traditional usability for three reasons. First, security is rarely the desired goal of the individual. In fact, security is usually orthogonal and often in opposition to the actual goal. Second, security information is about risk and threats. Such communication is most often unwelcome. Increasing unwelcome interaction is not a goal of usable design. Third, since individuals must trust their machines to implement their desired tasks, risk communication itself may undermine the value of the networked interaction. For the individual, discrete technical problems are all understood under the rubric of online security (e.g., privacy from third parties' use of personally identifiable information, malware). A broader conception of both security and usability is therefore needed for usable security. The workshop on Usable Security invites submissions on all aspects of human factors and usability in the context of security.
USEC'12 aims to bring together researchers already engaged in this
interdisciplinary effort with other researchers in areas such as economics,
intelligent interactions, artificial intelligence, theoretical computer
science, and modeling. We encourage AI, HCI, security, psychologists, risk
analysts, computer scientists, security specialists, business school
faculty, and industry experts to submit original research. We particularly
encourage collaborative research from authors in multiple fields.

-------------------------------------------------------------------------
COSADE 2012
3rd International Workshop on Constructive Side-Channel Analysis and Secure
Design, Darmstadt, Germany, May 3-4, 2012. (Submissions due 12 December 2011)
http://cosade2011.cased.de

Side-channel analysis (SCA) and implementation attacks have become an
important field of research at universities and in the industry. In order to
enhance the resistance of cryptographic and security critical
implementations within the design phase, constructive attacks and analyzing
techniques may serve as a quality metric to optimize the design and
development process. This workshop provides an international platform for
researchers, academics, and industry participants to present their work and
their current research topics. It is an excellent opportunity to meet
experts and to initiate new collaborations and information exchange at a
professional level. The workshop will feature both invited presentations and
contributed talks.

-------------------------------------------------------------------------
SEC 2012
27th IFIP International Information Security and Privacy Conference, Creta
Maris Hotel, Heraklion, Crete, Greece, June 4-6, 2012. (Submissions due 10
January 2012)
please see http://www.sec2012.org

Papers offering novel research contributions in any aspect of computer
security are solicited for submission to the 27th IFIP International
Information Security and Privacy Conference.
The focus is on original, high quality, unpublished research and
implementation experiences. Submitted papers must not substantially overlap
with papers that have been published or that are simultaneously submitted to
a journal or a conference with proceedings. We encourage submissions of
papers discussing industrial research and development. Papers should focus
on topics which include, but are not limited to, the following:
- Access control
- Accountability
- Anonymity
- Applied Cryptography
- Attacks & Malicious Code
- Authentication & Delegation
- Awareness & Education
- Data Integrity
- Database Security
- Identity Management
- Information Security Culture
- Formal Security Verification
- Mobile Code Security
- Policies & Standards
- Privacy Attitudes & Practices
- Risk Analysis & Management
- Security Architectures
- Security Economics
- Security in Location Services
- Security in Social Networks
- Security Models
- Social Engineering & other Human-related Risks
- System Security
- Usable Security
- Trust Models & Management
- Trust Theories
- Trustworthy User Devices

-------------------------------------------------------------------------
ACNS 2012
10th International Conference on Applied Cryptography and Network Security,
Singapore, June 26-29, 2012. (Submissions due 5 February 2012)
http://icsd.i2r.a-star.edu.sg/acns2012

The conference seeks submissions from academia, industry, and government
presenting novel research on all aspects of applied cryptography as well as
network security and privacy. Papers describing novel paradigms, original
directions, or non-traditional perspectives are also encouraged. The
conference has two tracks: a research track and an industry track.
Topics of interest include, but are not limited to:
- Access control
- Applied cryptography
- Automated protocols analysis
- Biometric security and privacy
- Complex systems security
- Critical infrastructure protection
- Cryptographic primitives and protocols
- Database and system security
- Data protection
- Digital rights management
- Email and web security
- Identity management
- Intellectual property protection
- Internet fraud
- Intrusion detection and prevention
- Key management
- Malware
- Network security protocols
- Privacy, anonymity, and untraceability
- Privacy-enhancing technology
- Policies
- Protection for the future Internet
- Security in P2P systems
- Security and privacy in cloud and grid systems
- Security in e-commerce
- Security in pervasive/ubiquitous computing
- Security and privacy in distributed systems
- Security and privacy in smart grids
- Security and privacy in wireless networks
- Security and privacy metrics
- Secure mobile agents and mobile code
- Trust management
- Usability and security

-------------------------------------------------------------------------
IEEE Internet Computing, Track Articles on Computer Crime, 2012,
(Submission will be accepted for this track from 15 July 2011 to 15 July
2012)
http://www.computer.org/portal/web/computingnow/cfptrack
Editors: Nasir Memon (New York University, USA) and Oliver Spatscheck
(AT&T, USA)

As the Internet has grown and extended its reach into every part of people's
lives, it shouldn't be surprising that criminals have seized the opportunity
to expand their activities into this new realm. This has been fostered in
particular by the fact that the Internet was designed as an open and
trusting environment. Unfortunately many of these architectural choices are
fundamental to the Internet's success and current architecture and are
therefore hard to overcome.
Computer crime ranges from rather simple crimes such as theft of
intellectual property or computer and network resources to complex
corporate espionage or even cyber terrorism. This special track for
Internet Computing seeks original articles that cover computer crime as it
relates to the Internet. Appropriate topics include:
- trends and classification of criminal activities on the Internet;
- computer crime prevention, including approaches implemented in user
  interfaces, end user systems, networks, or server infrastructure;
- case studies of criminal activities;
- computer forensics;
- impact assessments of criminal activities on the Internet; and
- new architectures to prevent Internet crime

Track articles run one per issue for a single calendar year. Articles will
be run in the order in which they are accepted for publication.

-------------------------------------------------------------------------
Elsevier Computer Networks, Special Issue on Botnet Activity: Analysis,
Detection and Shutdown, 2012, (Submission Due 1 December 2011)
http://www.elsevierscitech.com/dronsite/CFP_SIonBotnetActivity.pdf
Editors: Ronaldo Salles (Military Institute of Engineering, Brazil), Guofei
Gu (Texas A&M University, USA), Thorsten Holz (Ruhr-University Bochum,
Germany), and Morton Swimmer (Trend Micro Deutschland, Germany)

Large scale attacks and criminal activities experienced in recent years have
exposed the Internet to serious security breaches, and alarmed the world
regarding cyber crime. In the center of this problem are the so called
botnets -- collections of infected zombie machines (bots) controlled by the
botmaster to perpetrate malicious activities and massive attacks. Some
recent botnets are composed of millions of infected machines, making this
attack vector inevitably harmful. Hence, it is paramount to detect, analyze
and shut down such overlay networks before they become active.
This special issue of Computer Networks is intended to foster the
dissemination of high quality research in all aspects regarding botnet
activity, detection and countermeasures. The objective of this special issue
is to publish papers presenting detection algorithms, traffic monitoring and
identification, protocols and architectures, as well as botnet modeling,
behavior, simulation, statistics, dissemination, analysis, preventive
procedures and possible countermeasures. Only technical papers describing
previously unpublished, original, state-of-the-art research, and not
currently under review by a conference or journal will be considered. We
solicit papers in a variety of topics related to botnet research including,
but not limited to:
- Traffic Monitoring and Detection Algorithms
- Data Collection, Statistics and Analysis
- Modeling Behavior and Simulation
- Protocols and Architectures (IRC, HTTP, P2P, etc)
- Firewalls and IDS
- Cyber Crime Case Studies
- Reverse Engineering and Automated Analysis of Bots
- Honeypots and Honeynets
- New Platforms: Cellular and Wireless networks, Mobile devices, TV, etc.
- Legal Issues and Countermeasures
- Underground Markets, Vulnerability Markets and Zero-day Economics
- Mini-Botnets

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing send e-mail to cipher-admin@ieee-security.org
   (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can manage
   your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to unsubscribe
per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included in
both departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can be
easily obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit a one
paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using Cipher
material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line
form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all
technical papers from all years of the SP Symposium and the CSF Symposium
(through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all technical
papers from all years of the SP Symposium and the CSF Symposium is $5, plus
shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29
year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is
$5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus
shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is $8/volume,
and overseas airmail is $14/volume, based on an order of 3 volumes or less.
The shipping charge for a CD is $3 per CD (no charge if included with a
hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the
2011 treasurer (below) with the order description, including shipping method
and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now
Symposium) are available for $10 each. Copies of proceedings are available
starting with year 10 (1997). Photocopy versions of year 1 are also $10.
Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
ieee-chair@purplestreak.com

Security and Privacy Symposium Chair Emeritus:
Ulf Lindqvist
SRI
Menlo Park, CA
(650)859-2351 (voice)
ulf.lindqvist@sri.com

Vice Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2011 Chair:
Deborah Frincke
Pacific Northwest National Laboratory
deborah.frincke@pnl.gov

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year